If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Windows Shares - Everyone Group

Hi All,

Windows users generally make the extensive use of file sharing. I wanted to know whether there is anyway to remove "Everyone" group being listed which comes by default when creating file sharing on Windows XP/2003 machines. Right now when anyone creates shares, "Everyone" group appears by default even though with Read permissions. But still from security perspective it is not good if someone accidentally shares some sensitive data and forgets to give proper permission on the user workstations. Can this be done through GPO??

Yes, it is possible, but undocumented. I actually have never seen
the following on the web.

What you find[1,2] are information about a registry binary calledSrvsvcDefaultShareInfo. This binary defines the default permission
when creating a new share (resp. for all old shares with the
default security descriptor).

What value to use?

Do the following:
1. Create a new share "test" and give it the default permission you want
2. Go to the following registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
and export the binary called "test".
3. Use this value for
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\DefaultSecurity\SrvsvcDefaultShareInfo

(best way: export/import the key).
4. Setup you GPO accordingly.

As an additional remark: After passing the share-permission, the user still
has to pass the filesystem permissions.

I seem to remember MS best practice is to give everyone account access to resource, and use group policy to control access
so that you are only having to consider ONE thread of permissions, not both
because there are things to remember when altering permissions
RSoP [Resultant Set of Policy] tool can quickly determine just what your policies have actually allowed